kata-containers/src/tools/genpolicy/tests/policy/testdata/state/execprocess/testcases.json
Dan Mihai 30bfa2dfcc genpolicy: use CoCo settings by default
- "confidential_emptyDir" becomes "emptyDir" in the settings file.
- "confidential_configMap" becomes "configMap" in settings.
- "mount_source_cpath" becomes "cpath".
- The new "root_path" gets used instead of the old "cpath" to point to
  the container root path.
- "confidential_guest" is no longer used. By default it gets replaced
  by "enable_configmap_secret_storages"=false, because CoCo is using
  CopyFileRequest instead of the Storage data structures for ConfigMap
  and/or Secret volume mounts during CreateContainerRequest.
- The value of "guest_pull" becomes true by default.
- "image_layer_verification" is no longer used - just CoCo's guest pull
  is supported.
- The Request input files from unit tests are changing to reflect the
  new default settings values described above.
- tests/integration/kubernetes/tests_common.sh adjusts the settings for
  platforms that are not set-up for CoCo during CI (i.e., platforms
  other than SNP, TDX, and CoCo Dev).

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-07-28 18:30:13 +00:00


[
{
"description": "create container request for first container",
"allowed": true,
"request": {
"type": "CreateContainer",
"OCI": {
"Annotations": {
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"io.katacontainers.pkg.oci.container_type": "pod_container",
"io.kubernetes.cri.container-type": "container",
"io.kubernetes.cri.sandbox-cpu-period": "100000",
"io.kubernetes.cri.sandbox-cpu-quota": "0",
"io.kubernetes.cri.sandbox-cpu-shares": "2",
"io.kubernetes.cri.sandbox-id": "257a671dd451a8bf7ea4950d722106db358ef5ded2997c60f7dc1101b31b727a",
"io.kubernetes.cri.sandbox-memory": "0",
"io.kubernetes.cri.sandbox-name": "busybox",
"io.kubernetes.cri.sandbox-namespace": "default",
"io.kubernetes.cri.sandbox-uid": "eb1495ed-331a-44ff-ad6d-fce1a69280cd",
"io.kubernetes.cri.container-name": "first-test-container"
},
"Hooks": null,
"Hostname": "busybox",
"Linux": {
"CgroupsPath": "/kubepods/besteffort/podeb1495ed-331a-44ff-ad6d-fce1a69280cd/4878266238663ca723dc5ecbd8b2d06a56c2d5e562eeb77b492046a267c50951",
"Devices": [],
"GIDMappings": [],
"IntelRdt": null,
"MaskedPaths": [
"/proc/acpi",
"/proc/asound",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
"/proc/scsi"
],
"MountLabel": "",
"Namespaces": [
{
"Path": "",
"Type": "ipc"
},
{
"Path": "",
"Type": "uts"
},
{
"Path": "",
"Type": "mount"
}
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
],
"Resources": {
"BlockIO": null,
"CPU": {
"Cpus": "",
"Mems": "",
"Period": 0,
"Quota": 0,
"RealtimePeriod": 0,
"RealtimeRuntime": 0,
"Shares": 2
},
"Devices": [],
"HugepageLimits": [],
"Memory": null,
"Network": null,
"Pids": null
},
"RootfsPropagation": "",
"Seccomp": null,
"Sysctl": {},
"UIDMappings": []
},
"Mounts": [
{
"destination": "/proc",
"source": "proc",
"type_": "proc",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev",
"source": "tmpfs",
"type_": "tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
]
},
{
"destination": "/dev/pts",
"source": "devpts",
"type_": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/dev/mqueue",
"source": "mqueue",
"type_": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys",
"source": "sysfs",
"type_": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
},
{
"destination": "/sys/fs/cgroup",
"source": "cgroup",
"type_": "cgroup",
"options": [
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
]
},
{
"destination": "/etc/hosts",
"source": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-e9bb691ee0df3258-hosts",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/dev/termination-log",
"source": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-c57801af2d60a6e8-termination-log",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/etc/hostname",
"source": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-ca728aaeede4bb80-hostname",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/etc/resolv.conf",
"source": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-cfc6eca9fd2d0cce-resolv.conf",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/dev/shm",
"source": "/run/kata-containers/sandbox/shm",
"type_": "bind",
"options": [
"rbind"
]
},
{
"destination": "/var/run/secrets/kubernetes.io/serviceaccount",
"source": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-bbb1a5bd88623ac4-serviceaccount",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"ro"
]
}
],
"Process": {
"Args": [
"sleep",
"3600"
],
"Capabilities": {
"Ambient": [],
"Bounding": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Effective": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Inheritable": [],
"Permitted": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
]
},
"ConsoleSize": null,
"Cwd": "/",
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"NoNewPrivileges": false,
"OOMScoreAdj": -998,
"Rlimits": [],
"SelinuxLabel": "",
"Terminal": false,
"User": {
"AdditionalGids": [
0
],
"GID": 0,
"UID": 0,
"Username": ""
}
},
"Root": {
"Path": "/run/kata-containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9/rootfs",
"Readonly": false
},
"Solaris": null,
"Version": "1.1.0",
"Windows": null
},
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"devices": [],
"sandbox_pidns": false,
"shared_mounts": [],
"storages": [],
"string_user": null
}
},
{
"description": "create container request for second container",
"allowed": true,
"request": {
"type": "CreateContainer",
"OCI": {
"Annotations": {
"io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"io.katacontainers.pkg.oci.container_type": "pod_container",
"io.kubernetes.cri.container-type": "container",
"io.kubernetes.cri.sandbox-cpu-period": "100000",
"io.kubernetes.cri.sandbox-cpu-quota": "0",
"io.kubernetes.cri.sandbox-cpu-shares": "2",
"io.kubernetes.cri.sandbox-id": "257a671dd451a8bf7ea4950d722106db358ef5ded2997c60f7dc1101b31b727a",
"io.kubernetes.cri.sandbox-memory": "0",
"io.kubernetes.cri.sandbox-name": "busybox",
"io.kubernetes.cri.sandbox-namespace": "default",
"io.kubernetes.cri.sandbox-uid": "eb1495ed-331a-44ff-ad6d-fce1a69280cd",
"io.kubernetes.cri.container-name": "second-test-container"
},
"Hooks": null,
"Hostname": "busybox",
"Linux": {
"CgroupsPath": "/kubepods/besteffort/podeb1495ed-331a-44ff-ad6d-fce1a69280cd/4878266238663ca723dc5ecbd8b2d06a56c2d5e562eeb77b492046a267c50951",
"Devices": [],
"GIDMappings": [],
"IntelRdt": null,
"MaskedPaths": [
"/proc/acpi",
"/proc/asound",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
"/proc/scsi"
],
"MountLabel": "",
"Namespaces": [
{
"Path": "",
"Type": "ipc"
},
{
"Path": "",
"Type": "uts"
},
{
"Path": "",
"Type": "mount"
}
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
],
"Resources": {
"BlockIO": null,
"CPU": {
"Cpus": "",
"Mems": "",
"Period": 0,
"Quota": 0,
"RealtimePeriod": 0,
"RealtimeRuntime": 0,
"Shares": 2
},
"Devices": [],
"HugepageLimits": [],
"Memory": null,
"Network": null,
"Pids": null
},
"RootfsPropagation": "",
"Seccomp": null,
"Sysctl": {},
"UIDMappings": []
},
"Mounts": [
{
"destination": "/proc",
"source": "proc",
"type_": "proc",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev",
"source": "tmpfs",
"type_": "tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
]
},
{
"destination": "/dev/pts",
"source": "devpts",
"type_": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/dev/mqueue",
"source": "mqueue",
"type_": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys",
"source": "sysfs",
"type_": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
},
{
"destination": "/sys/fs/cgroup",
"source": "cgroup",
"type_": "cgroup",
"options": [
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
]
},
{
"destination": "/etc/hosts",
"source": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-e9bb691ee0df3258-hosts",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/dev/termination-log",
"source": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-c57801af2d60a6e8-termination-log",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/etc/hostname",
"source": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-ca728aaeede4bb80-hostname",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/etc/resolv.conf",
"source": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-cfc6eca9fd2d0cce-resolv.conf",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"rw"
]
},
{
"destination": "/dev/shm",
"source": "/run/kata-containers/sandbox/shm",
"type_": "bind",
"options": [
"rbind"
]
},
{
"destination": "/var/run/secrets/kubernetes.io/serviceaccount",
"source": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9-bbb1a5bd88623ac4-serviceaccount",
"type_": "bind",
"options": [
"rbind",
"rprivate",
"ro"
]
}
],
"Process": {
"Args": [
"sleep",
"3600"
],
"Capabilities": {
"Ambient": [],
"Bounding": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Effective": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
],
"Inheritable": [],
"Permitted": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE"
]
},
"ConsoleSize": null,
"Cwd": "/",
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"NoNewPrivileges": false,
"OOMScoreAdj": -998,
"Rlimits": [],
"SelinuxLabel": "",
"Terminal": false,
"User": {
"AdditionalGids": [
0
],
"GID": 0,
"UID": 0,
"Username": ""
}
},
"Root": {
"Path": "/run/kata-containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9/rootfs",
"Readonly": false
},
"Solaris": null,
"Version": "1.1.0",
"Windows": null
},
"container_id": "22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"devices": [],
"sandbox_pidns": false,
"shared_mounts": [],
"storages": [],
"string_user": null
}
},
{
"description": "test exec process in first container with correct args",
"allowed": true,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0
],
"Username": ""
},
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
},
{
"description": "test exec process in first container with incorrect args",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0
],
"Username": ""
},
"Args": [
"foo"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
},
{
"description": "test exec process in first container with Terminal=true",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b300",
"string_user": null,
"process": {
"Terminal": true,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0
],
"Username": ""
},
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
},
{
"description": "test exec process in first container with non-empty capabilities",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b302",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0
],
"Username": ""
},
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": {
"Ambient": [],
"Bounding": [
"CAP_CHOWN"
],
"Effective": [],
"Inheritable": [],
"Permitted": []
},
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
},
{
"description": "test exec process in first container with different Cwd",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b303",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0
],
"Username": ""
},
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/tmp",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
},
{
"description": "test exec process in first container with NoNewPrivileges=true",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b304",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0
],
"Username": ""
},
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": true,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
},
{
"description": "test exec process in first container with non-null/different User",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b305",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 1000,
"GID": 1000,
"AdditionalGids": [],
"Username": ""
},
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
},
{
"description": "test exec process in first container with additional environment variables",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b306",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0
],
"Username": ""
},
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc",
"TERM=xterm",
"PROBE_TYPE=liveness"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
},
{
"description": "test exec process in first container with multi-arg command",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b308",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0
],
"Username": ""
},
"Args": [
"test1",
"--flag"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
},
{
"description": "test exec process in first container with non-empty SelinuxLabel",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "system_u:system_r:container_t",
"ApparmorProfile": ""
}
}
},
{
"description": "test exec process in first container with random ApparmorProfile",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "",
"ApparmorProfile": "localhost/root-user"
}
}
},
{
"description": "test exec process in first container with random string_user",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": {
"uid": "0",
"gid": "12",
"additional_gids": []
},
"process": {
"Terminal": false,
"ConsoleSize": null,
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": "",
"ApparmorProfile": ""
}
}
},
{
"description": "test exec process in second container with first container args",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0
],
"Username": ""
},
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
},
{
"description": "test exec process with invalid container_id",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "1070be4405d02db09ddaa02b73c0670f5fe5511d5efb45608da2366074dc4e08",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b24f",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0
],
"Username": ""
},
"Args": [
"bar"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
},
{
"description": "remove first container",
"allowed": true,
"request": {
"type": "RemoveContainer",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"timeout": 0
}
},
{
"description": "test exec process fail for first container",
"allowed": false,
"request": {
"type": "ExecProcess",
"container_id": "88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9",
"exec_id": "05e07bbb-d06c-402d-b9b7-e6386935b200",
"string_user": null,
"process": {
"Terminal": false,
"ConsoleSize": null,
"User": {
"UID": 0,
"GID": 0,
"AdditionalGids": [
0
],
"Username": ""
},
"Args": [
"test1"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME=busybox-cc"
],
"Cwd": "/",
"Capabilities": null,
"Rlimits": [],
"NoNewPrivileges": false,
"OOMScoreAdj": 0,
"SelinuxLabel": ""
}
}
}
]